Junos lo0.0 filter

a guest
Oct 24th, 2018
First, we'll set up some handy prefix lists that we'll use in the filters.

set policy-options prefix-list v4-router-ifl apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list v6-router-ifl apply-path "interfaces <*> unit <*> family inet6 address <*>"
set policy-options prefix-list v4-bgp-peers apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list v4-ipip-peers apply-path "interfaces <ip-*> unit <*> tunnel destination <*>"
set policy-options prefix-list v4-ntp-servers apply-path "system ntp server <*>"
set policy-options prefix-list snmp-client-list apply-path "snmp client-list <*> <*>"
set policy-options prefix-list ospf 224.0.0.5/32
set policy-options prefix-list ospf 224.0.0.6/32
set policy-options prefix-list v4-mcast-all-routers 224.0.0.2/32
set policy-options prefix-list localhost 127.0.0.0/8
set policy-options prefix-list trusted <management-lan>/24
set policy-options prefix-list trusted <lo0.0 address>/32
set policy-options prefix-list trusted 127.0.0.0/8
set policy-options prefix-list vpn-peers apply-path "security ike gateway <*> address <*>"
set policy-options prefix-list v4-dns-servers apply-path "system name-server <*>"

Set up some policers.

set firewall policer manage-1m apply-flags omit
set firewall policer manage-1m if-exceeding bandwidth-limit 1m
set firewall policer manage-1m if-exceeding burst-size-limit 625k
set firewall policer manage-1m then discard
set firewall policer manage-5m apply-flags omit
set firewall policer manage-5m if-exceeding bandwidth-limit 5m
set firewall policer manage-5m if-exceeding burst-size-limit 625k
set firewall policer manage-5m then discard

Next, we'll put together the filters.

set firewall family inet filter bad-frags apply-flags omit
set firewall family inet filter bad-frags term bad-frags from is-fragment
set firewall family inet filter bad-frags term bad-frags from protocol icmp
set firewall family inet filter bad-frags term bad-frags then count bad-frags
set firewall family inet filter bad-frags term bad-frags then discard

set firewall family inet filter ok-ospf apply-flags omit
set firewall family inet filter ok-ospf term ok-ospf from source-prefix-list v4-router-ifl
set firewall family inet filter ok-ospf term ok-ospf from destination-prefix-list v4-router-ifl
set firewall family inet filter ok-ospf term ok-ospf from destination-prefix-list ospf
set firewall family inet filter ok-ospf term ok-ospf from protocol ospf
set firewall family inet filter ok-ospf term ok-ospf then accept

set firewall family inet filter ok-igmp apply-flags omit
set firewall family inet filter ok-igmp term ok-igmp from protocol igmp
set firewall family inet filter ok-igmp term ok-igmp then accept

set firewall family inet filter ok-bgp apply-flags omit
set firewall family inet filter ok-bgp term ok-bgp from source-prefix-list v4-bgp-peers
set firewall family inet filter ok-bgp term ok-bgp from protocol tcp
set firewall family inet filter ok-bgp term ok-bgp from port bgp
set firewall family inet filter ok-bgp term ok-bgp then accept

set firewall family inet filter ok-ntp apply-flags omit
set firewall family inet filter ok-ntp term ok-ntp from source-prefix-list v4-ntp-servers
set firewall family inet filter ok-ntp term ok-ntp from source-prefix-list localhost
set firewall family inet filter ok-ntp term ok-ntp from protocol udp
set firewall family inet filter ok-ntp term ok-ntp from port ntp
set firewall family inet filter ok-ntp term ok-ntp then accept

set firewall family inet filter ok-snmp apply-flags omit
set firewall family inet filter ok-snmp term ok-snmp from source-prefix-list snmp-client-list
set firewall family inet filter ok-snmp term ok-snmp from protocol udp
set firewall family inet filter ok-snmp term ok-snmp from port snmp
set firewall family inet filter ok-snmp term ok-snmp then accept

set firewall family inet filter ok-ssh apply-flags omit
set firewall family inet filter ok-ssh term ok-ssh from source-prefix-list trusted
set firewall family inet filter ok-ssh term ok-ssh from protocol tcp
set firewall family inet filter ok-ssh term ok-ssh from port ssh
set firewall family inet filter ok-ssh term ok-ssh then accept

set firewall family inet filter ok-netconf apply-flags omit
set firewall family inet filter ok-netconf term ok-netconf from source-prefix-list trusted
set firewall family inet filter ok-netconf term ok-netconf from protocol tcp
set firewall family inet filter ok-netconf term ok-netconf from port 830
set firewall family inet filter ok-netconf term ok-netconf then accept

set firewall family inet filter ok-ike apply-flags omit
set firewall family inet filter ok-ike term ok-ike from source-prefix-list vpn-peers
set firewall family inet filter ok-ike term ok-ike from protocol udp
set firewall family inet filter ok-ike term ok-ike from port 500
set firewall family inet filter ok-ike term ok-ike then accept

set firewall family inet filter ok-esp apply-flags omit
set firewall family inet filter ok-esp term ok-esp from source-prefix-list vpn-peers
set firewall family inet filter ok-esp term ok-esp from protocol esp
set firewall family inet filter ok-esp term ok-esp then accept

set firewall family inet filter ok-icmp apply-flags omit
set firewall family inet filter ok-icmp term ok-icmp from protocol icmp
set firewall family inet filter ok-icmp term ok-icmp from icmp-type echo-reply
set firewall family inet filter ok-icmp term ok-icmp from icmp-type echo-request
set firewall family inet filter ok-icmp term ok-icmp from icmp-type time-exceeded
set firewall family inet filter ok-icmp term ok-icmp from icmp-type unreachable
set firewall family inet filter ok-icmp term ok-icmp from icmp-type source-quench
set firewall family inet filter ok-icmp term ok-icmp from icmp-type router-advertisement
set firewall family inet filter ok-icmp term ok-icmp from icmp-type parameter-problem
set firewall family inet filter ok-icmp term ok-icmp then policer manage-5m
set firewall family inet filter ok-icmp term ok-icmp then count ok-icmp
set firewall family inet filter ok-icmp term ok-icmp then accept

set firewall family inet filter ok-traceroute apply-flags omit
set firewall family inet filter ok-traceroute term ok-udp-traceroute from protocol udp
set firewall family inet filter ok-traceroute term ok-udp-traceroute from ttl 1
set firewall family inet filter ok-traceroute term ok-udp-traceroute from destination-port 33435-33450
set firewall family inet filter ok-traceroute term ok-udp-traceroute then policer manage-1m
set firewall family inet filter ok-traceroute term ok-udp-traceroute then count ok-udp-traceroute
set firewall family inet filter ok-traceroute term ok-udp-traceroute then accept
set firewall family inet filter ok-traceroute term ok-icmp-traceroute from protocol icmp
set firewall family inet filter ok-traceroute term ok-icmp-traceroute from ttl 1
set firewall family inet filter ok-traceroute term ok-icmp-traceroute from icmp-type echo-request
set firewall family inet filter ok-traceroute term ok-icmp-traceroute from icmp-type timestamp
set firewall family inet filter ok-traceroute term ok-icmp-traceroute from icmp-type time-exceeded
set firewall family inet filter ok-traceroute term ok-icmp-traceroute then policer manage-1m
set firewall family inet filter ok-traceroute term ok-icmp-traceroute then count ok-icmp-traceroute
set firewall family inet filter ok-traceroute term ok-icmp-traceroute then accept

set firewall family inet filter ok-dhcp apply-flags omit
set firewall family inet filter ok-dhcp term ok-dhcp from protocol udp
set firewall family inet filter ok-dhcp term ok-dhcp from source-port 67
set firewall family inet filter ok-dhcp term ok-dhcp from source-port 68
set firewall family inet filter ok-dhcp term ok-dhcp from destination-port 67
set firewall family inet filter ok-dhcp term ok-dhcp from destination-port 68
set firewall family inet filter ok-dhcp term ok-dhcp then count ok-dhcp
set firewall family inet filter ok-dhcp term ok-dhcp then accept

set firewall family inet filter ok-bfd apply-flags omit
set firewall family inet filter ok-bfd term ok-bfd from protocol udp
set firewall family inet filter ok-bfd term ok-bfd from source-port 49152-65535
set firewall family inet filter ok-bfd term ok-bfd from destination-port 3784-3785
set firewall family inet filter ok-bfd term ok-bfd then count ok-bfd
set firewall family inet filter ok-bfd term ok-bfd then accept

set firewall family inet filter ok-dns apply-flags omit
set firewall family inet filter ok-dns term ok-dns from source-prefix-list v4-dns-servers
set firewall family inet filter ok-dns term ok-dns from protocol udp
set firewall family inet filter ok-dns term ok-dns from source-port 53
set firewall family inet filter ok-dns term ok-dns then policer manage-1m
set firewall family inet filter ok-dns term ok-dns then count ok-dns
set firewall family inet filter ok-dns term ok-dns then accept

set firewall family inet filter ok-established apply-flags omit
set firewall family inet filter ok-established term ok-established from protocol tcp
set firewall family inet filter ok-established term ok-established from tcp-established
set firewall family inet filter ok-established term ok-established then accept

Next, let's put the modules into filters we'll actually apply to the loopback.

set firewall family inet filter common-services apply-flags omit
set firewall family inet filter common-services term ok-dhcp filter ok-dhcp
set firewall family inet filter common-services term bad-frags filter bad-frags
set firewall family inet filter common-services term ok-icmp filter ok-icmp
set firewall family inet filter common-services term ok-traceroute filter ok-traceroute
set firewall family inet filter common-services term ok-ntp filter ok-ntp
set firewall family inet filter common-services term ok-snmp filter ok-snmp
set firewall family inet filter common-services term ok-ssh filter ok-ssh
set firewall family inet filter common-services term ok-netconf filter ok-netconf
set firewall family inet filter common-services term ok-dns filter ok-dns
set firewall family inet filter common-services term ok-established filter ok-established

set firewall family inet filter igp apply-flags omit
set firewall family inet filter igp term ok-ospf filter ok-ospf
set firewall family inet filter igp term ok-igmp filter ok-igmp

set firewall family inet filter peering apply-flags omit
set firewall family inet filter peering term ok-ike filter ok-ike
set firewall family inet filter peering term ok-esp filter ok-esp
set firewall family inet filter peering term ok-bfd filter ok-bfd
set firewall family inet filter peering term ok-bgp filter ok-bgp

set firewall family inet filter discard-all apply-flags omit
set firewall family inet filter discard-all term all then discard

Now, apply that to your lo0.0:

set interfaces lo0 unit 0 family inet filter input-list common-services
set interfaces lo0 unit 0 family inet filter input-list igp
set interfaces lo0 unit 0 family inet filter input-list peering
set interfaces lo0 unit 0 family inet filter input-list discard-all
set interfaces lo0 unit 0 family inet address <lo0.0 address>/32
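As an added example (not part of the paste), here is a small Python model of how Junos evaluates the input-list above: values of one match kind are ORed, different kinds are ANDed, and the first matching term across common-services, peering and discard-all decides the packet. It models only a subset of the terms, and the prefix-list contents, port numbers (ntp=123, ssh=22, bgp=179) and sample packets are constructed stand-ins for what apply-path and the placeholders would fill in on a real box; it is useful for checking, for instance, that ok-established accepts any ACK-bearing TCP segment regardless of source.

```python
import ipaddress

# Constructed stand-ins for the apply-path / placeholder prefix lists above.
PREFIX_LISTS = {
    "trusted":        ["192.0.2.0/24", "198.51.100.1/32", "127.0.0.0/8"],
    "v4-bgp-peers":   ["203.0.113.7/32"],
    "v4-ntp-servers": ["198.51.100.123/32"],
    "localhost":      ["127.0.0.0/8"],
}

def in_lists(addr, names):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for n in names for p in PREFIX_LISTS[n])

# Junos term semantics: values of one match kind are ORed, different kinds are
# ANDed, and the first matching term in the input-list decides the packet.
def term_matches(term, pkt):
    for kind, wanted in term["from"].items():
        if kind == "source-prefix-list":
            ok = in_lists(pkt["src"], wanted)
        elif kind == "port":  # "from port" matches source OR destination port
            ok = pkt.get("sport") in wanted or pkt.get("dport") in wanted
        else:                 # protocol, tcp-established, ... compared directly
            ok = pkt.get(kind) in wanted
        if not ok:
            return False
    return True

# A subset of the paste's terms, in the order the input-list applies them
# (common-services first, then peering, then discard-all). Named ports from
# the paste are written as numbers here: ntp=123, ssh=22, bgp=179.
LO0_INPUT_LIST = [
    {"name": "ok-ntp", "then": "accept", "from": {
        "source-prefix-list": ["v4-ntp-servers", "localhost"], "protocol": {"udp"}, "port": {123}}},
    {"name": "ok-ssh", "then": "accept", "from": {
        "source-prefix-list": ["trusted"], "protocol": {"tcp"}, "port": {22}}},
    {"name": "ok-established", "then": "accept", "from": {
        "protocol": {"tcp"}, "tcp-established": {True}}},
    {"name": "ok-bgp", "then": "accept", "from": {
        "source-prefix-list": ["v4-bgp-peers"], "protocol": {"tcp"}, "port": {179}}},
    {"name": "discard-all", "then": "discard", "from": {}},
]

def evaluate(pkt):
    """Return (term name, action) of the first term that matches pkt."""
    for term in LO0_INPUT_LIST:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    raise AssertionError("unreachable: discard-all matches every packet")
```

Feed it constructed packets such as an SSH SYN from a host outside the trusted list and confirm it falls through to discard-all, while the same SYN from the management LAN hits ok-ssh.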